NSA key in MSFT Crypto API
Andrew Fernandes tonight published the results of his reverse engineering of Microsoft's Crypto API (CAPI). [This builds on work done by Nicko van Someren from nCipher].

Background: MSFT CAPI comes pre-installed with two keys used to check the validity of a Cryptographic Service Provider (CSP). The holder of either key can install operating system security services without user authorization. The first key is used by MSFT to sign their own security services modules. The identity of the second key holder has until now been unknown. That is to say, until MSFT forgot to strip the binary of NT4 SP5 of debugging symbols. Perhaps not surprisingly, the debugging symbol for the second key is... _NSAKEY.

For more information and a program to remove the NSA's key from your copy of Windows 95, 98, NT, 2000, see http://www.cryptonym.com/hottopics/msft-nsa.html

Note that Windows 2000 includes not just two keys, but three keys that can sign modules that will control security services on your copy of Windows. Word has it that the third key belongs to the FBI. So far, there has been no independent confirmation of this rumor.

--Lucky Green [EMAIL PROTECTED]
RE: NSA key in MSFT Crypto API
> For more information and a program to remove the NSA's key from your copy of Windows 95, 98, NT, 2000, see http://www.cryptonym.com/hottopics/msft-nsa.html

Perhaps more interestingly, the program lets you replace the key, too. It requires no special privileges -- just uses some undocumented APIs.

It would be ...interesting... for someone to combine that program with Melissa, where the body of the messages was a public/private keypair.

/r$
RE: NSA key in MSFT Crypto API
In [EMAIL PROTECTED], on 09/03/99 at 11:49 AM, "Trei, Peter" [EMAIL PROTECTED] said:

> The ability to replace the NSA key with another is an extremely serious vulnerability. This means that *anyone* - not just the NSA - can write a compromised module and install it on the target, as long as they also replace the NSA key with the one they used to sign the weakened module.
>
> Tripwire, anyone?

It's very simple, DO NOT USE WINDOWS!!

This is a compromise in only one API. God only knows what they have done to compromise security in the millions of lines of code that no one outside of Redmond has ever seen. Windows is compromised!! Microsoft is in bed with the Federal Government. There is *no* security on a system running their software. Those who continue to do so get exactly what they deserve.

--
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting      Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii
Hi Jeff!! :)
---
RE: NSA key in MSFT Crypto API
The ability to replace the NSA key with another is an extremely serious vulnerability. This means that *anyone* - not just the NSA - can write a compromised module and install it on the target, as long as they also replace the NSA key with the one they used to sign the weakened module.

Tripwire, anyone?

Peter Trei

--
> From: Salz, Rich [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, September 03, 1999 10:42 AM
> To: 'Lucky Green'; cypherpunks@Algebra.COM
> Cc: Cryptography@C2.Net; [EMAIL PROTECTED]
> Subject: RE: NSA key in MSFT Crypto API
>
> > For more information and a program to remove the NSA's key from your copy of Windows 95, 98, NT, 2000, see http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too. It requires no special privileges -- just uses some undocumented API's.
>
> It would be ...interesting... for someone to combine that program with Melissa, where the body of the messages was a public/private keypair.
>
> /r$
More details on Operation Broken Glass
Looks like last night was a kind of crypto-Kristallnacht, ja?

Cheers,
RAH
(Who's not too shameless to plug FC00, here, in light of Nicko and Adi's URL, below)

--- begin forwarded text

Date: Fri, 3 Sep 1999 10:03:57 -0700
Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED]
Sender: Law Policy of Computer Communications [EMAIL PROTECTED]
From: Greg Broiles [EMAIL PROTECTED]
Subject: Re: Warning about Installation of Software -- Don't be fooled by NSA
To: [EMAIL PROTECTED]

At 09:33 AM 9/3/99, David Lesher wrote:

> and I respectfully ask all the smart computer-savvy folks who read this message to check out this rumor and confirm whether it is a hoax, or whether it is for real. Your input and wisdom is greatly appreciated.
>
> But note that the meat of the story requires you do no such thing.
>
> (More importantly, I can not see his claimed Crypto 99 rump session talk on the schedule)

I spoke with a friend last night who attended the rump session at Crypto, who confirmed that the talk was given.

The existence of the second key was discovered by a crypto researcher who had the insight that looking inside the executable for areas of unusually high entropy might prove revealing - he found two such areas, each 1024 bits long (exactly the length of the Crypto API public key), where the design of Crypto API would only have required one .. leading to further investigation and disassembly of the code.

One approach to independent verification would be to repeat the initial investigation - look through the RSABASE.DLL file in your \WINDOWS\SYSTEM directory looking for relatively high-entropy sequences. A paper describing this technique is available at http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf, and C code purporting to implement that search is available at http://www.hedonism.demon.co.uk/paul/download/ncheck.c.

--
Greg Broiles [EMAIL PROTECTED]
PGP: 0x26E4488C

--- end forwarded text

-
Robert A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
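The high-entropy search Greg Broiles describes, as an added Python example that is not code from the thread and not the ncheck.c he links: a 128-byte (1024-bit) window slides over a byte image and every window whose Shannon entropy is well above what code or strings reach is merged into a candidate region. The in-memory "DLL" image, the two planted blob offsets and the 6.0-bit threshold are constructed assumptions; scan_file applies the same scan to a real file.

```python
"""Sliding-window byte-entropy scan for embedded 1024-bit keys in a binary.

Constructed example, not the ncheck.c linked in the thread. Windows straddling
a planted blob's edge also score high, so a flagged region is wider than the
key: it is a candidate to confirm by disassembly, not a key boundary.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

WINDOW = 1024 // 8  # 128 bytes: one candidate key
# A 128-byte window scores at most log2(128) = 7.0 bits/byte; uniformly random
# bytes land near 6.5, ASCII strings near 4.5, and x86 code in windows this
# short stays below 6. Tune per file; a dense image may need a longer window.
THRESHOLD = 6.0
Region = Tuple[int, int, float]  # (offset, length, peak entropy)


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(buf: bytes, window: int = WINDOW,
                              threshold: float = THRESHOLD,
                              step: int = 1) -> List[Region]:
    """Slide a window over buf; merge every window scoring >= threshold into
    contiguous regions. step=1 is exact but O(len * window): on a big file use
    a coarser step, then re-scan the hits with step=1."""
    regions: List[Region] = []
    for off in range(0, len(buf) - window + 1, step):
        h = shannon_entropy(buf[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][0] + regions[-1][1]:
            start, _, peak = regions[-1]  # overlaps the last hit: extend it
            regions[-1] = (start, off + window - start, max(peak, h))
        else:
            regions.append((off, window, h))
    return regions


def scan_file(path: str, **kw) -> List[Region]:
    """Scan an on-disk image (e.g. the CSP verifier DLL) for candidates."""
    with open(path, "rb") as f:
        return find_high_entropy_regions(f.read(), **kw)


def build_sample_image(seed: int = 1999) -> Tuple[bytes, Tuple[int, int]]:
    """Constructed stand-in for a DLL: code-like filler from a 16-byte alphabet
    (<= 4 bits/byte), an ASCII import/string table, and two planted 128-byte
    random blobs. Returns the image and the offsets of the two blobs."""
    rng = random.Random(seed)
    alphabet = bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x50, 0xE8, 0x00,
                      0xFF, 0x75, 0x08, 0x5D, 0xC3, 0x90, 0x33, 0xC0])

    def code(n: int) -> bytes:
        return bytes(rng.choice(alphabet) for _ in range(n))

    def blob() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(WINDOW))

    strings = (b"CryptAcquireContextA\0CryptVerifySignatureA\0RSABASE.DLL\0"
               b"Microsoft Base Cryptographic Provider v1.0\0" * 8)[:572]
    first, second = blob(), blob()
    image = code(400) + first + strings + second + code(400)
    return image, (400, 400 + WINDOW + len(strings))


SAMPLE_IMAGE, KEY_OFFSETS = build_sample_image()
```

Running find_high_entropy_regions(SAMPLE_IMAGE) yields exactly two regions, one enclosing each planted blob; neither the code filler nor the string table alone crosses the threshold.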
Re: [dc-sage] Microsoft, the NSA, and you... (fwd)
--- begin forwarded text

Date: Fri, 3 Sep 1999 16:32:38 -0400
Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED]
Sender: Law Policy of Computer Communications [EMAIL PROTECTED]
From: David Lesher [EMAIL PROTECTED]
Subject: Re: [dc-sage] Microsoft, the NSA, and you... (fwd)
To: [EMAIL PROTECTED]

This is long and nerdy, but I think it's worthwhile.

Bugtraq, in general, is a place real security types hang out, although I can't speak re: Ross (As I don't claim to know more than a few crypto types; draw no conclusion from that.) I'll assume NTBugtraq is similar.

Here's the NTBUGTRAQ post

==

From [EMAIL PROTECTED] Fri Sep 3 16:01:34 1999
Date: Fri, 3 Sep 1999 15:57:43 -0400
From: Russ [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Alert: CryptoAPI and _NSAKey issue

-----BEGIN PGP SIGNED MESSAGE-----

This is also available at http://ntbugtraq.ntadvice.com/_nsakey.asp

Whoa horsie...

I had a long chat with Andrew Fernandes this morning, as well as another chat with others, and of course I've had a ton of messages sent my way with various links to various stories about the issue. I wanted to get a few things straight before I sent this message, but given how quickly things are spreading it makes sense to send something interim.

Ok, so here's what I can tell you.

1. Andrew's speculation about the _NSAKEY being a backdoor for the NSA is based on;

a) The variable is called "NSA".
b) It's a second key, not known to exist in Windows previously.
c) What possible purpose would a second key serve?
d) Its presence, arguably, weakens CryptoAPI (Andrew explains this on his website at http://www.cryptonym.com/hottopics/msft-nsa.html), I'll elaborate more later.

2. Sources close to Microsoft say that the key is a "Backup" key. It is owned by Microsoft, and only Microsoft have the private key to it. The key was named "_NSAKEY" because the NSA insisted that Microsoft include a backup key in their CryptoAPI before the Commerce Department would approve its inclusion in NT 4.0.

Editorial

There's a bunch of somewhat understandable furor going on over the idea that the NSA might have a backdoor to Windows. Unfortunately, however, all of this is based on a variable name. Anyone who programs knows that variables might get named anything for a variety of reasons. One would expect that they would be named descriptively, but alas, not everyone follows such stringent conventions (can you spell "Easter Egg"?).

The Conspiracy Theorist's theory goes;

- The NSA has a signing key on your box.
- The NSA can implant a Trojan to replace the module which performs encryption on your box with one that doesn't perform encryption, and because the failure of signature verification against Microsoft's key is silent, they can get their trojan'd app up and running without you being any the wiser.
- The NSA can then sniff your traffic, now being conducted in plain-text.

There's obviously a ton of variations possible on this theory, they take your private key, they replace your key with another, etc... They only have to get a Trojan to you and get you to run it, and as those same Conspiracy Theorists always say, <speculation>there's likely bugs in the OS designed to allow them to do this...</speculation>

Yeah, could be true.

My take from Microsoft's Perspective;

- We want to have one build of our products that simultaneously supports weak or strong encryption functionality.
- We want to be able to ship this one product world-wide, changing as few bits as possible for those that are being shipped outside the U.S. and Canada.
- We'll build an API (good, bad, or otherwise) that allows the controlled bits to be inserted into an infrastructure, then get the infrastructure approved, and all will be good.
- Commerce (with advice from lots of people including the NSA), agrees, and tells Microsoft they have to sign everything that can use the infrastructure. That way, Microsoft can ship its product anywhere, and Commerce will know that only those products that have been signed by Microsoft will be able to run on the OS.
- You want to build a Cryptographic Service Provider (CSP), the module that performs the encryption, you gotta get Microsoft to sign it for it to run. Microsoft doesn't sign anything that doesn't have the appropriate Commerce Department Export approvals first.

Wonderful, life's good, Microsoft doesn't have to manage multiple versions based on Crypto-strength, folks can implement whatever crypto they want (assuming it's Commerce approved).

Oh, the second key, I almost forgot;

I'm told the NSA insisted there had to be a backup. No explanation as to why yet, that's what I've been told. One theory that made a lot of sense to me was the simple idea of; What happens if
Policy page redux?
Shades of the plaintext-embedded-in-the-executable Netscape "policy page"? Or is it just more stupid Microsoft crypto programming? Father Occam prefers the latter, but you never know...

Cheers,
RAH

--- begin forwarded text

Date: Fri, 3 Sep 1999 15:34:04 -0300
Reply-To: Law Policy of Computer Communications [EMAIL PROTECTED]
Sender: Law Policy of Computer Communications [EMAIL PROTECTED]
From: "Peter D. Junger" [EMAIL PROTECTED]
Subject: Re: FW: Warning about Installation of Software -- Don't be fooled by NSA Rumors
To: [EMAIL PROTECTED]
Status: U

Mark Shea writes:

: There is a discussion of this issue at
: http://www.slashdot.org/articles/99/09/03/0940241.shtml today. One of the
: more informed and thoughtful posts (IMHO) was from a Windows coder who has
: been working with this API for over a year. His/her comments can be seen at
: http://www.slashdot.org/comments.pl?sid=99/09/03/0940241&cid=56 .
: I recommend, however, you take a look at the whole discussion. It is fairly
: lively.

I always get lost on /. but I was able to read some of the messages and some of the original material posted on the Internet. Apparently this bit of stupidity is more of an opportunity than a threat.

As I understand it, the various versions of MSWindows include a Crypto Applications Program Interface---I don't really know about this, being much too snobbish to use Microsoft products---where one can plug in encryption modules. But the government would not let Microsoft export its Windows systems with this API unless it was crippled so that one could not plug in strong crypto. So the solution was to require that any crypto software installed on a MSWindows machine had to be signed by Microsoft using a public key. (I'm not quite sure of the type of key that was used.)

So this crypto API contains a key that can be used to make sure that Microsoft has signed an application, and if an application is strong crypto it won't be signed by Microsoft and thus will not run under MSWindows. If you remove this Microsoft key from your Windows box, then you can't run any crypto applications (that use the crypto API).

But now it turns out that some genius added a second key, called apparently the NSAKEY, to the API and that a crypto application will run if it is signed by either of the keys. You can remove the NSAKEY and anything signed by Microsoft will still run, but programs signed by NSA won't run (unless, I guess, they are also signed by Microsoft). And---and this is the good part---you can not only remove the NSAKEY, you can replace it with your own key, and then run any crypto applications programs that you want, no matter how strong! This effectively allows one to ignore the export controls on crypto applications that run on MSWindows.

At least that is my understanding. If I am right, the question becomes whether the replaceable second key is the result of stupidity---or of sabotage.

--
Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH
EMAIL: [EMAIL PROTECTED]    URL: http://samsara.law.cwru.edu
NOTE: [EMAIL PROTECTED] no longer exists

--- end forwarded text
IP: Microsoft Letting Government Snoop
--- begin forwarded text

From: "Dan S" [EMAIL PROTECTED]
To: "isml" [EMAIL PROTECTED]
Subject: IP: Microsoft Letting Government Snoop
Date: Fri, 3 Sep 1999 20:33:46 -0400
Sender: [EMAIL PROTECTED]
Reply-To: "Dan S" [EMAIL PROTECTED]

From http://www.news-real.com/apnews/19990903/21/01/5687004_st.html -

Microsoft Letting Government Snoop
Associated Press

WASHINGTON (AP) -- [ Microsoft Corp. ] sought to assure consumers Friday that it did not insert a secret backdoor in its popular Windows software to allow the U.S. government to snoop on their sensitive computer data.

The sensational charge of a quiet alliance between Microsoft and the U.S. National Security Agency came after a Canadian programmer stumbled across an obscure digital "signing key" that had been labeled the "NSA key" in the latest version of Microsoft's business-level Windows NT software.

An organization with such a signature key accepted by Windows could theoretically load software to make it easier to look at sensitive data -- such as e-mail or financial records -- that had been scrambled. The flaw would affect almost any version of Windows, the software that runs most of the world's personal computers.

Microsoft forcefully denied that it gave any government agency such a key, and explained that it called its function an "NSA key" because that federal agency reviews technical details for the export of powerful data-scrambling software.

"These are just used to ensure that we're compliant with U.S. export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software. "We have not shared the private keys. We do not share our keys."

The claim against Microsoft, originally leveled by security consultant Andrew Fernandes of Ontario on his Web site, spread quickly in e-mail and discussion groups across the Internet, especially in those corners of cyberspace where Microsoft and the federal government are often criticized.

Culp called Fernandes' claims "completely false."

An NSA spokesman declined immediate comment.

Bruce Schneier, a cryptography expert, said the claim by Fernandes "makes no sense" because a government agency as sophisticated as the NSA doesn't need Microsoft's help to unscramble sensitive computer information.

"That it allows the NSA to load unauthorized security services, compromise your operating system -- that's nonsense," said Schneier, who runs Counterpane Internet Security Inc. "The NSA can already do that, and it has nothing to do with this."

Fernandes, who runs a small consulting firm in Canada, said he found the suspiciously named "NSA key" -- along with another key for Microsoft -- while examining the software code within the latest version of Windows NT. The existence of the second key was discovered earlier by other cryptographers, but Fernandes was the first to find its official name and theorize about its purpose.

"That (the U.S. government) has ... installed a cryptographic back door in the world's most abundant operating system should send a strong message to foreign (information technology) managers," he warned on his Web site.

But Fernandes seemed less worried Friday in a telephone interview.

"I don't know that they have reason to lie," he said. "The main point is, you can't really trust what they're saying. They've been caught with their hand in the cookie jar. In fact, I think they're being fairly honest, but you don't know what else is in Windows."

Publication Date: September 03, 1999

--
Dan S

--- end forwarded text
Re: NSA key in MSFT Crypto API
Wired.com:

> "The key is a Microsoft key -- it is not shared with any party including the NSA," said Windows NT security product manager Scott Culp. "We don't leave backdoors in any products."
>
> "The only thing that this key is used for is to ensure that only those products that meet US export control regulations and have been checked can run under our crypto API (application programming interface)," Culp said.
>
> "It does not allow anyone to start things, stop services, or allow anything [to be executed] remotely," he said. "It is used to ensure that we and our cryptographic partners comply with United States crypto export regulations. We are the only ones who have access to it."

So is this NSAKEY actually used to validate any CSPs? Are there CSPs out there which depend on this key, CSPs which have passed crypto export review? If so, the claims that the key can be removed without impact are false. If not, Culp's explanation cannot be believed.

Someone should ask Culp if export-approved CSPs use this NSAKEY, as he implies. If they don't, and if export-approved CSPs are signed with the regular Microsoft key instead, he should be made to explain what exactly this key is used for.
RE: NSA key in MSFT Crypto API
It's not clear to me why being able to sign CSP modules is a risky thing anyway; all it means is that Windows will load and execute your crypto. The mechanism is designed to keep overseas end users from being able to build and install strong crypto libraries. If the NSA has a key, all they can do is vouch for their libraries as export-qualified and thus enable their use. It's not a secret backdoor or anything, and modules need to be on the machine before their signatures are checked.

If I can get you to execute code on your Windows machine, I can penetrate your security, period. These authorizing signatures have nothing to do with it.

Even if the key belongs to the NSA, I suspect that the NSA just wanted to be able to load classified Crypto Service Providers into Windows and didn't want to have to send said classified software to Microsoft for approval, so they got the key installed so they could approve software in house.

- Tim

Tim Dierks
VP of Engineering, Certicom
[EMAIL PROTECTED]
510.780.5409 [Hayward] -- 905.501.3791 [Mississauga]
RE: NSA key in MSFT Crypto API
On Fri, 3 Sep 1999, Tim Dierks wrote:

> Even if the key belongs to the NSA, I suspect that the NSA just wanted to be able to load classified Crypto Service Providers into Windows and didn't want to have to send said classified software to Microsoft for approval, so they got the key installed so they could approve software in house.

Classified crypto is done in secure hardware. Any hypothetical CSP's the NSA needs to install on their own machines would not contain classified algorithms. Hence the NSA could submit them to Microsoft for signing. I am afraid the NSAKEY in CAPI has a different purpose than allowing the NSA to secure their own communications.

-- Lucky Green [EMAIL PROTECTED]
PGP v5 encrypted email preferred.
Re: NSA key in MSFT Crypto API
Here's what I said about this on another list:

I must admit that this doesn't make much sense to me. I was at Crypto, but I must have missed the rump session talk in question (and it's entirely possible that the talk occurred anyway - I was out of the room for a good deal of that session). In any case, non-Crypto people should remember that the "rump session" consists of entirely unreviewed talks each lasting about five minutes. It is *not* a peer-refereed part of the Crypto conference, just a place for people to announce new or minor results. It is very easy to get a rump session slot, and people say bogus things at the rump session all the time.

That said, I don't understand the point. If the NSA wanted Microsoft to quietly compromise the CAPI install mechanism (which is supposed to require Microsoft's digital signature on the installed module - thereby preventing the installation of non-US crypto and allowing CAPI OS's to be exported), it would be *much* easier to do any of the following:

- Convince MS to tell them the secret key for MS's signature key
- Get MS to sign an NSA-compromised module.
- Install some module other than CAPI to compromise the OS (only CAPI modules require the signature).

Regardless of the mechanism used, NSA would still have to convince the owner of the computer in question to install the compromised module (perhaps by exploiting one of the other bugs in the OS, which is admittedly probably easy enough to do).

Finally, assuming that MS has two public CAPI-install keys in windows, and someone discovered this, how would they know that one of the corresponding secret keys is held by NSA? From looking at the web page in question, it appears that the evidence consists entirely of the fact that one of the CAPI keys has an internal symbol name of "_NSAKEY". Since anyone with a debugger and a copy of an MS OS can find this symbol, if this is intended as some kind of covert mechanism, it's not very well hidden.

-matt
Re: NSA key in MSFT Crypto API
> http://www.cryptonym.com/hottopics/msft-nsa.html
>
> Perhaps more interestingly, the program lets you replace the key, too.

Microsoft prevents third parties from installing un-authorized crypto code under CAPI by checking the signature on the code. Under their export deal, they refuse to sign anyone's non-US code that does strong crypto. So if you want to add your own strong crypto, you need to sign it with a key that the CAPI recognizes. You could patch out Microsoft's key but then the Microsoft modules won't load properly. It works better to patch out NSA's key with your own -- then you can load both your own crypto code and all the standard MS stuff.

John
Paul Brown on Solitaire randomness flaw?
Does anyone (or you, Bruce?) have a URL handy to/for a paper (by Paul Brown in the UK?) speculating on a RNG weakness in Solitaire (Bruce's playing card cipher)? I've been searching the web unsuccessfully. The paper may mention it as "Pontifex", as it was referred to in "Cryptonomicon."

The implication is that it may not be as secure as I'd hoped, and that I should *not* train some human rights people on how to use it in the field...

TIA,
dave

"Riding tandem with the random, things don't work the way I've planned 'em." --Peter Gabriel ("Humdrum")